262 
Configuring the packet capture 
To use the packet capture feature, you must install the feature image by using the boot-loader, 
install, or issu command. For more information about the commands, see Fundamentals Command 
Reference. 
Overview 
The packet capture feature captures incoming packets that are to be forwarded in CPU. The feature 
displays the captured packets on the terminal in real time, and allows you to save the captured 
packets to a .pcap file for future analysis. Packet capture can read both .pcap and .pcapng files. 
Filter elements 
Packet capture supports capture filters and display filters. You can use expressions to match packets 
to capture or display. 
A capture or display filter contains a keyword string or multiple keyword strings that are connected by 
operators. 
Keywords include the following types: 
• Qualifiers—Fixed keyword strings. For example, you must use the ip qualifier to specify the 
IPv4 protocol. 
• Variables—Values supplied by users in the required format. For example, you can set an IP 
address to 2.2.2.2 or any other valid values. 
A variable must be modified by one or multiple qualifiers. For example, to capture any packets sent 
from the host at 2.2.2.2, use the filter src host 2.2.2.2. 
Operators include the following types: 
• Logical operators—Perform logical operations, such as the AND operation. 
• Arithmetic operators—Perform arithmetic operations, such as the ADD operation. 
• Relational operators—Indicate the relation between keyword strings. For example, the = 
operator indicates equality. 
This document provides basic information about these elements. For more information about 
capture and display filters, go to the following websites: 
•  http://wiki.wireshark.org/CaptureFilters
. 
•  http://wiki.wireshark.org/DisplayFilters
. 
Capture filter keywords 
Table 31 and Table 32 describe the qualifiers and variables for capture filters, respectively. 
Table 31 Qualifiers for capture filters 
Category Description  Examples 
Protocol 
Matches a protocol.  
If you do not specify a protocol 
qualifier, the filter matches any 
supported protocols. 
•  arp—Matches ARP. 
•  icmp—Matches ICMP. 
•  ip—Matches IPv4. 
•  ip6—Matches IPv6. 
•  tcp—Matches TCP. 
•  udp—Matches UDP.